Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type
Kevin Coffman
kwc at citi.umich.edu
Fri Feb 15 09:32:00 EST 2008
On Fri, Feb 15, 2008 at 12:43 AM, Victor Sudakov
<vas at mpeks.no-spam-here.tomsk.su> wrote:
> Steven Miller wrote:
> > >
> > > What could be the reason that I cannot telnet from
> > > FreeBSD to Solaris 10
> > > with the following error:
> > >
> > > Connected to oracle.sibptus.tomsk.ru.
> > > Escape character is '^]'.
> > > [ Trying mutual KERBEROS5
> > > (host/oracle.sibptus.tomsk.ru at SIBPTUS.TOMSK.RU)... ]
> > > [ Kerberos V5 refuses authentication because
> > > Kerberos checksum verification failed: Bad
> > > encryption type ]
> > > [ Trying KERBEROS5
> > > (host/oracle.sibptus.tomsk.ru at SIBPTUS.TOMSK.RU)... ]
> > > [ Kerberos V5 refuses authentication because
> > > Kerberos checksum verification failed: Bad
> > > encryption type ]
> > > Password:
> > I believe that Solaris (as of Solaris 9) only supports
> > des-cbc-crc encryption.
>
> Actually, there *is* a des-cbc-crc key in the keytab, why wouldn't it just
> use it?
>
> # klist -e -k /etc/krb5/krb5.keytab
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- -----------------------------------------------------------------------
> 1 host/oracle.sibptus.tomsk.ru at SIBPTUS.TOMSK.RU (DES cbc mode with CRC-32)
> 1 host/oracle.sibptus.tomsk.ru at SIBPTUS.TOMSK.RU (etype 2)
> 1 host/oracle.sibptus.tomsk.ru at SIBPTUS.TOMSK.RU (DES cbc mode with RSA-MD5)
> 1 host/oracle.sibptus.tomsk.ru at SIBPTUS.TOMSK.RU (Triple DES cbc mode with HMAC/sha1)

Probably because your client is getting a Triple DES service ticket
from the KDC, since that would be the strongest encryption type [that
it thinks the service supports]. If the Solaris machine can only do
DES, then re-issue the keytab with only a DES key:

    ktadd -e des-cbc-crc:normal host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU

K.C.
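
The reasoning in the reply above, as an added example that is not part of the original message or of any Kerberos distribution: it parses the `klist -e -k` listing quoted in the thread and reports which enctype the service ticket is expected to use and which keys a DES-only service cannot handle. The strength ranking, the `service_supports` set and the rule that the KDC picks the strongest key are assumptions taken from the reply, and the keytab is assumed to mirror the principal's keys in the KDC database.

```python
import re

# Constructed sample: the `klist -e -k` listing quoted in the thread, "@" restored.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- -----------------------------------------------------------------------
   1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with CRC-32)
   1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (etype 2)
   1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (DES cbc mode with RSA-MD5)
   1 host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU (Triple DES cbc mode with HMAC/sha1)
"""

# klist description -> (enctype name, assumed strength rank: single DES = 1, 3DES = 2).
# "etype 2" is how this klist prints enctype number 2, which is des-cbc-md4.
ENCTYPES = {
    "DES cbc mode with CRC-32": ("des-cbc-crc", 1),
    "etype 2": ("des-cbc-md4", 1),
    "DES cbc mode with RSA-MD5": ("des-cbc-md5", 1),
    "Triple DES cbc mode with HMAC/sha1": ("des3-cbc-sha1", 2),
}
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_keytab_listing(text):
    """Return (kvno, principal, enctype, rank) per key line; header lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            name, rank = ENCTYPES.get(m.group(3), (m.group(3), 0))
            keys.append((int(m.group(1)), m.group(2), name, rank))
    return keys

def diagnose(text, service_supports):
    """Return (expected ticket enctype, enctypes the service cannot handle)."""
    keys = parse_keytab_listing(text)
    if not keys:
        return None, []
    # Assumption from the reply: the KDC issues the ticket under the strongest key.
    expected = max(keys, key=lambda k: k[3])[2]
    to_drop = sorted({k[2] for k in keys if k[2] not in service_supports})
    return expected, to_drop

if __name__ == "__main__":
    # Assumed capability of the Solaris host, per the thread: des-cbc-crc only.
    expected, to_drop = diagnose(KLIST_OUTPUT, {"des-cbc-crc"})
    print("expected ticket enctype:", expected)
    print("re-key the principal without:", ", ".join(to_drop))
```
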